How Homeland Security agents reeled in a Chinese software pirate

Caught in a sting, Crack99.com owner pleaded guilty to piracy and wire fraud.

In June of 2011, Xiang Li sat in a hotel room in Saipan, trying to close a deal with US businessmen. The 35-year-old entrepreneur from Chengdu, China had brought along some samples of his wares—a collection of software on DVDs ready for resale; sample packaging materials and associated designs; and 20 gigabytes of proprietary data from software developers. And every bit of it was stolen.

The customers were already familiar with Xiang's business. They had made a number of purchases from him via the Internet through his site, Crack99.com. But what Xiang didn't know as he explained how to get the goods back through customs without raising suspicions was that his customers were planning on bringing back more than just pirated software to the US. They were undercover US Homeland Security Investigations (HSI) agents preparing to close a trap. And soon Xiang Li's short trip to Saipan became a much longer visit to a federal facility in Delaware.

Today, that unexpected trip got a whole lot longer. In a press conference today, US Attorney for the District of Delaware Charles M. Oberly III and Immigration and Customs Enforcement Director John Morton announced that Xiang had entered a guilty plea to charges of conspiracy to commit criminal copyright infringement and wire fraud. Xiang faces up to 25 years in prison, as well as fines for having sold over $100 million worth of pirated software to customers across the globe—including engineers and scientists working for the US government.

Xiang Li explains to undercover Homeland Security Investigations agents how to get pirated software and packaging material back through customs. (Source: Department of Homeland Security/ ICE)

The Crack99 pipeline

Xiang himself was not a hacker. He was an aggregator, paying others to circumvent the license keys and DRM of various software packages and then redistributing them through his site. Working with others who acted as a financial go-between, he sold from a library of about 550 different software titles, including sophisticated engineering design, modeling, and simulation tools that sold for as much as $250,000 through legitimate channels.

ICE has confirmed sales by Crack99 to at least 325 different purchasers worldwide; a third of his buyers were in the US. And some of his best customers were people working for the US government—and not in a law enforcement capacity.

One of those customers was Cosburn Wedderburn, now a former electronics engineer at NASA's Goddard Space Flight Center. Between 2008 and 2010, Wedderburn purchased 12 software packages from Xiang with a total retail value of over $1.2 million. Another, Dr. Wronald Best—a former US Navy scientist who had taken a position as chief scientist for a defense consulting firm in Kentucky—purchased 10 software packages worth over $600,000.

Some of the software companies whose products Xiang was illegally reselling were all too aware of what he was doing, since he openly advertised their software on his website. But because he operated out of China, and through a veil of anonymity online, there was little they could do directly to stop him. The software wasn't sold directly through the site, but through a network of filesharing servers around the world, and each purchase was negotiated through e-mail. As Xiang told investigators during the sting, he had a simple way of dealing with software firms who sent him e-mails telling him to stop selling their products—he just deleted the e-mails.

Xiang explaining his approach to dealing with DMCA requests to investigators in June of 2011. (Source: Department of Homeland Security/ ICE)

Going big, and getting caught

ICE began working its way toward Xiang in January of 2010, when agents started to make "controlled purchases" of pirated software from the Crack99.com site. They sent e-mails to Xiang negotiating the purchase of software, and made a total of $8,615 in payments to him and a partner via Western Union wire transfers.

One of the software products that agents were able to obtain through Crack99 during their investigation was Analytical Graphics, Inc.'s STK Pro: a simulation package used for modeling satellite orbits and 3-dimensional battlefield scenarios as well as simulating missile defense systems. The agents paid $1,000 for version 8.0 of the STK software; its retail license at the time sold for over $150,000. In November, just a few months after AGI released an upgrade, they purchased version 9.2.1 of STK and license keys from Xiang for $2,000 more; the software and modules they received were worth over $250,000.

A demo video of STK Pro's use in simulating a missile defense scenario. (Source: AGI)

In January, the investigation moved into its next phase. ICE undercover agents sent a message to Xiang saying that they wanted to discuss a plan to resell "cracked" software from him to small businesses in the US. He agreed, and for $1,467, he gave then 15 software products with circumvented licensing—and then offered to provide designs for counterfeit packaging for the software for $1,500 more. He also told agents he had "more pleasant surprises," including internal data from one software provider that he would sell them for an additional $3,000.

For the next few months, agents reeled Xiang in, finally getting him to agree to meet with them in Saipan in June. He arrived with pirated copies of 16 software packages, including a mix of simulation and modeling tools for computer, electronics and wireless communications engineering, along with packaging for them. And the internal data he promised included a trove of resources from one software developer, including code for a software license server, training materials, and other technical data.

Unfortunately for Xiang, Saipan is a US territory, and the ICE undercover agents were on home turf. As soon as he transferred the goods to his customers, he was arrested and prepared for transport back to Delaware.

What's Homeland Security doing going after overseas software pirates? I thought that department was created to keep us safe from terrorists...

Remember, the Customs Service got rolled into DHS. Even as part of DHS, they still continue their original task of doing actual customs things. Barring the entry of illegal goods into the United States is very much part of their job.

Hmm. Poking around Wikipedia some more and it seems that while the islands are under US federal law, they are not US customs territory. Nor are the people there considered US citizens as far as i can tell. All in all the whole thing seems to have some many special exemptions and such that it is hard to tell who is really running the show.

lol Saipan. So far off the beaten path (literally half way between continents), all sorts of red flags should have gone up (it's a 20hour flight from LAX). Seriously, if you wanted to meet in person (always a good idea when trafficking in stolen goods), then meet in Europe, the Middle East, heck, meet in Manila. How did this dumb fool run a $100m business?

lol Saipan. So far off the beaten path (literally half way between continents), all sorts of red flags should have gone up (it's a 20hour flight from LAX). Seriously, if you wanted to meet in person (always a good idea when trafficking in stolen goods), then meet in Europe, the Middle East, heck, meet in Manila. How did this dumb fool run a $100m business?

Like that would stop them. They will probably ask for assistance in whatever country they decide to set a trap.

A couple of points - I looked into moving to Saipan as a tax dodge so I am somewhat familiar with the place.

It is a commonwealth, just like Puerto Rico, so residents are american citizens and they have one or two non-voting pseudo-members of congress and they get a boatload of federal aid. However, unlike the other commonwealths, their equivalent of a state income tax is slightly negative (in the form of a rebate).

They do not require a passport for entry from much of Asia - it is a big tourist destination for the Chinese. In the past they even allowed people (lots of filipinos) in to work without requiring a green card. There was a huge textile industry there because they did not have a minimum wage, no real limits on importing foreign labor and no US import tariffs. That changed about a decade ago, the textile industry died overnight due to some new law out of Washington and many of them ended up getting stuck there in some sort of immigration limbo (I think it was their kids who had neither filipino nor US citizenship, but I'm fuzzy on the details).

Various saipanese factory owners were some of the biggest backers of Jack Abrahmoff - the "super lobbyist" who went to jail and was played by Kevin Spacey in a movie about his life.

The guy who founded fedex retired there (for the tax benefits) and ended up with a reputation of extreme immorality.

The weather is perfect. Basically the exact same highs and lows every single day of the year. Something like 85 days, 65 nights.

this is why i got into open source software. every issue here, from the moral questions to the financial questions, to the technical questions, are solved quite elegantly by simply paying someone to create open source code rather than proprietary. the monetary distribution systems haven't quite gotten to create sustainable models yet where that is profitable enough, but they are slowly getting there.

From the article: "One of the software products that agents were able to obtain through Crack99 during their investigation was Analytical Graphics, Inc.'s STK Pro: a simulation package used for modeling satellite orbits and 3-dimensional battlefield scenarios as well as simulating missile defense systems."

I also want to know who's buying that software...outside of...the military and space industry...which I assumed already had pretty good simulating software? And that if you were in that business you knew orbital mechanics already and can probably write the software yourself? Hmm perhaps my expectations are set a bit too high.

I also want to know who's buying that software...outside of...the military and space industry...which I assumed already had pretty good simulating software? And that if you were in that business you knew orbital mechanics already and can probably write the software yourself? Hmm perhaps my expectations are set a bit too high.

Writing software like STK on your own would take 10-20 man years. It's far more cost effective to buy it.

As an aside, a lot of STK, such as the missile interceptor tool, is export controlled and not available for sale in most the world, including China.

they purchased version 9.2.1 of STK and license keys from Xiang for $2,000 more

Why??

Type 'STK Pro torrent' into google and you'll find a torrent for 9.2.1 that was uploaded a year ago. That's not trying particularly hard... Do these people think that by paying 1% of the retail price to a shady operator from China they get some sort of security or support?

they purchased version 9.2.1 of STK and license keys from Xiang for $2,000 more

Why??

Type 'STK Pro torrent' into google and you'll find a torrent for 9.2.1 that was uploaded a year ago. That's not trying particularly hard... Do these people think that by paying 1% of the retail price to a shady operator from China they get some sort of security or support?

Because torrenting them will mean that they are also uploading them. I don't know about US laws about penalty for knowingly buying counterfeit goods but it's almost certainly going to be less severe than uploading them.

What's Homeland Security doing going after overseas software pirates? I thought that department was created to keep us safe from terrorists...

You're wrong. It isn't at all. The Department of Homeland Security was designed to share more information amongst various governmental agencies. It isn't meant to keep us safe from terrorists; it is meant to prevent all sorts of illegal activity.

The whole "Homeland security is all about terrorism" thing is pure nonsense spread by the media. It is called SECURITY for a reason.

Quote:

It's always hubris and greed. Had he not wondered into US territory, he would've been fine. I don't know how he overlooked the fact. Could've just met at some third country.

Well, had it been in any decent country he could have been extradited. China doesn't extradite people to the US, but plenty of other countries do. Same thing would have happened if he had gone to Japan or Singapore.

Saipan just means he doesn't have to be extradited.

Quote:

Because torrenting them will mean that they are also uploading them. I don't know about US laws about penalty for knowingly buying counterfeit goods but it's almost certainly going to be less severe than uploading them.

"a collection of software on DVDs ready for resale; sample packaging materials and associated designs; and 20 gigabytes of proprietary data from software developers. And every bit of it was stolen"

No, it was not stolen. The *software* was illegally copied and resold.The guy was an asshole for selling cracked software, but thats about it.

The software was most likely purchased retail at one of the many computer markets in Chengdu for his "dvds".While I haven't seen more than the indictment, I find it *extremely* unlikely that he is someone involved in creation of physical pirated goods. Its a lot more likely that he's simply buying it retail (pirated software is readily available for $1-$2 (RMB5-12) with packaging, although most simply download these days), and selling to suckers^Hclients online, ...and to the agents in Saipan.

The end does not justify the means here in any way shape or form.

Yes, what he did was wrong, but this looks more like entrapment. They could have taken the site(s) down relatively easily, and had the same effect.

Quote:

To quote the indictment - "...180-day period, for purpose of commercial advantage and private financial gain, willfully conspired to reproduce or distribute 10 or more copies o f one or more copyrighted works which have a total retail value of more than $2,500"

So, according to the government - Over 1/2 year, he resold +- 10 copies of licenced software *worth* > $2500 USD in TOTAL to US citizens.

In Saipan, they seized 32 dvd's, 1 old Dell laptop, hard drive, his cell phone, and 5 domain names. (Which looks like most of "his" software was CAD based from the url's).

This is almost a complete waste of time. They could have shut down the sites fairly easily, and taken further legal steps without needing an all expenses paid vacation for untold agents to Saipan. The total costs for this are substantially more than the *actual* damages.

He is lucky though - if he had copied an mp3, the damages would have been much much worse.

Because torrenting them will mean that they are also uploading them. I don't know about US laws about penalty for knowingly buying counterfeit goods but it's almost certainly going to be less severe than uploading them.

Both are felonies.

Really? I would have thought that trafficking counterfeit goods would be but not purchasing it and using it for yourself.

Definitely the companies didn't lose a single sale here. If you can afford a $250k piece of software you're not going to pirate it.

That is your logic? Who said their clients could afford a $250k software? There is a reason why they purchased from him, because they could not pay the real price for this softwares.

This is the same logic behind Megaupload. I don´t agree how that was handled, but most people that pirate software are not poor, some even pirate 10$ bucks and I hardly believe someone with a computer and Internet cannot afford 10$. Most hardcode games spend 300$ on his video card but then the same users pirate 5$ games.

I completely agree that someone that cannot afford something would not buy the software either, so you did not lost anything, but that is probably true for third world countries, not for Europe, US, etc.

How some people justify the piracy of software and then they spend on iPhone, iPad and expensive gear. Truth is that allot of people will take the easy route if they can get away with it.

I don´t agree with what the music industry and Hollywood in particular is doing. They are just to stupid to make their products available for everyone, most content is restricted for US and Europe, even if you want to buy a film you can´t. Netflix is the only one that is more or less going global and they are a huge success because they found out that even in poor countries people will pay for legal streaming. If this users cannot get a movie legally they will pirate because you don´t even allow them to buy.

But this is different for software that is available online and people start to look cracks and license for a 10$ software. That is just insulting. Don´t you think this developers need to earn something in order to keep releasing new versions? They don´t. Most people are so short sighted they think the software companies are already rich so they are not hurting them and allot, but allot of software companies are individual or very small companies that really need every penny.

lol Saipan. So far off the beaten path (literally half way between continents), all sorts of red flags should have gone up (it's a 20hour flight from LAX). Seriously, if you wanted to meet in person (always a good idea when trafficking in stolen goods), then meet in Europe, the Middle East, heck, meet in Manila. How did this dumb fool run a $100m business?

his is almost a complete waste of time. They could have shut down the sites fairly easily, and taken further legal steps without needing an all expenses paid vacation for untold agents to Saipan.

How do you propose American law enforcement shut down a Chinese web site? The only way to get the Chinese net police to do anything is to post something politically subversive. Pirated software is not politically subversive, and the Chinese are famous for doing nothing about pirated or fake stuff sold out of their country.

Quote:

The total costs for this are substantially more than the *actual* damages.

So, going by your logic, the police should never bother with petty theft such as shoplifting or pickpocketing, as the cost of police and prosecutor resources involved will always be too high compared to the damages (which will be at most a few hundred bucks per offense). And the mass searches for kidnapped children are not worthwhile because most parents only have something in the tens of thousands of dollars invested in a child, and the child is unlikely to earn back enough money in their lifetime to pay for the millions of dollars spent by the police in multiple jurisdictions. Murder? Only if the victim had a high-paying job that would have paid for the police expenses.

I hope you like it when you get burglarized, and the police doesn't lift a finger because the expense to them is more than your *actual* damage.

ICE has confirmed sales by Crack99 to at least 325 different purchasers worldwide; a third of his buyers were in the US. And some of his best customers were people working for the US government—and not in a law enforcement capacity.

This strikes me as a wonderful avenue for distributing custom malware into otherwise secure computers. Which is perhaps another reason DHS might be involved.

How do you propose American law enforcement shut down a Chinese web site? The only way to get the Chinese net police to do anything is to post something politically subversive. Pirated software is not politically subversive, and the Chinese are famous for doing nothing about pirated or fake stuff sold out of their country.

Unlike you I obviously read the indictment. All of the websites were .comThose, last time I looked were US web sites. .com is completely under US control.

Given that Homeland Insecurity can, and do shutdown sites that they don't like or sites that RIAA don't like, why do they need to nab an obviously small time crook.I never said I condoned it, I said that the response is completely inappropriate to run an enticement scam, oops, I meant law enforcement in a different country to catch someone who isn't really worth bothering with.

This is quite clear when you look at the indictment - The "sales" - 10 copies of licenced software to US based citizens. Over a 6 month period. Worth +- $2500 TOTAL.

So, he's selling pirated keys for $$ software for $250 +-

Unlike your fantasies, there is law here in China, and it wouldn't be too hard to sue him for damages in a Chinese court, assuming that the vendors were interested.

Again, I don't condone it, but I think the response does not match the crime.

Quote:

I hope you like it when you get burglarized, and the police doesn't lift a finger because the expense to them is more than your *actual* damage.

Happened last year. We got burgled, laptop was stolen. Its a very specific build, as I made it myself from parts. I found it for sale on Gumtree (a local 2nd hand website back home), and the police didn't want to help in any way shape or form.Does that make you feel better, now that something bad happened to someone who disagree's with you?

Its a lot more likely that he's simply buying it retail (pirated software is readily available for $1-$2 (RMB5-12) with packaging, although most simply download these days), and selling to suckers^Hclients online, ...and to the agents in Saipan.

This type of software is not readily available and not for those prices.

One of the old pirate software markets in Malaysia was selling pirated Oil & Gas related modeling and simulation software for downstream work. Specialized stuff. They were selling it there for 100s of dollars, not a few dollars.

He should have known that dealing with such specialized software suites would draw the heat. If Leupold rifle scopes can carry the warning that "The CQ/T® riflescope, parts, and accessories fall under the jurisdiction of the U.S. Department of State. Unless required State Department license is obtained, this product is for sale in the U.S.A. only." What do you think the potential export controls on industrial satellite simulation might be?

I bet that DHS interest in him has less to do with his ill-gotten money as it does with who's been shelling out money to simulate satellite trajectories. (Or design aircraft: http://en.wikipedia.org/wiki/CATIA)

Its very, very much illegal. In fact, selling or receiving stolen goods are both illegal, and indeed are the -same crime-. You can get up to ten years in prison for it.

The moral of the story is, don't buy stolen goods, or even goods you BELIEVE likely to be stolen or otherwise illicit. Its very, very bad news if the authorities decide to prosecute.

Quote:

Given that Homeland Insecurity can, and do shutdown sites that they don't like or sites that RIAA don't like, why do they need to nab an obviously small time crook.I never said I condoned it, I said that the response is completely inappropriate to run an enticement scam, oops, I meant law enforcement in a different country to catch someone who isn't really worth bothering with.

This guy is totally worth taking down. The Chinese are quite terrible about selling counterfeit goods and really steal a great deal from the rest of the world, with little repercussion. Its quite unfortunate, because there is little reciprocity possible.

The goods in question were also pretty high profile; I can see why the government would be concerned, given how few people actually need such software. And the fact that he's hurting companies that make software for a very small customer base is very bad. The reason those licenses are so expensive is because most people don't need to track satellites.

Quote:

Unlike your fantasies, there is law here in China, and it wouldn't be too hard to sue him for damages in a Chinese court, assuming that the vendors were interested.

Quote:

Happened last year. We got burgled, laptop was stolen. Its a very specific build, as I made it myself from parts. I found it for sale on Gumtree (a local 2nd hand website back home), and the police didn't want to help in any way shape or form.Does that make you feel better, now that something bad happened to someone who disagree's with you?

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.